Use-after-free in extract() with EXTR_REFS

Fixes GH-18209 Closes GH-18211
2025-08-15 21:48:51 +02:00 · 2025-03-31 22:06:17 +02:00 · 2025-03-31 22:06:17 +02:00 · a21065e6eb
commit a21065e6eb
parent 13d51f895b
3 changed files with 27 additions and 1 deletions
--- a/1
+++ b/1
@ -9,6 +9,7 @@ PHP                                                                        NEWS
 - Standard:
  . Fixed bug GH-18145 (php8ts crashes in php_clear_stat_cache()).
    (Jakub Zelenka)
+  . Fixed bug GH-18209 (Use-after-free in extract() with EXTR_REFS). (ilutov)

 10 Apr 2025, PHP 8.3.20

--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@ -1863,8 +1863,10 @@ static zend_long php_extract_ref_overwrite(zend_array *arr, zend_array *symbol_t
 			} else {
 				ZVAL_MAKE_REF_EX(entry, 2);
 			}
-			zval_ptr_dtor(orig_var);
+			zval garbage;
+			ZVAL_COPY_VALUE(&garbage, orig_var);
 			ZVAL_REF(orig_var, Z_REF_P(entry));
+			zval_ptr_dtor(&garbage);
 		} else {
 			if (Z_ISREF_P(entry)) {
 				Z_ADDREF_P(entry);
--- a/ext/standard/tests/gh18209.phpt
+++ b/ext/standard/tests/gh18209.phpt
@ -0,0 +1,23 @@
+--TEST--
+GH-18209: Use-after-free in extract() with EXTR_REFS
+--CREDITS--
+Noam Rathaus (nrathaus)
+--FILE--
+<?php
+
+class C {
+    public function __destruct() {
+        var_dump($GLOBALS['b']);
+        $GLOBALS['b'] = 43;
+    }
+}
+
+$b = new C;
+$array = ['b' => 42];
+extract($array, EXTR_REFS);
+var_dump($b);
+
+?>
+--EXPECT--
+int(42)
+int(43)